Security testing has had a low priority for development and quality assurance (QA) organizations during the Application Lifecycle Management (ALM) process. For many projects, security testing is limited to validating that functional requirements for user sign-on to the application system were properly developed and implemented. With the increased use of cloud computing infrastructure, mobile business applications, complex technology stacks and open source software, a business can no longer take an internalized view of security for ALM. The threats are real and need to be incorporated in all test strategies and project plans.
With the rise in cybercrime and current awareness of the risks associated with software vulnerabilities, application security is now something that needs to be designed and developed at the same time as business functionality. Security testing reviews and validates the software for confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Individual tests need to be conducted to prevent unauthorized access to the software code. This level of security testing is not currently performed in industry as part of the development cycle. Gartner states that more than 75% of mobile business applications would fail a basic security test. That is an alarming statistic and an indictment of the IT organization. Business application security needs to address many questions, including the following: